Attacks come from many angles in the Information Security game. To wit, a spat between two security vendors – Carbon Black and DirectDefense. DirectDefense released a report on Carbon Black’s Cb Response product. In a report titled “Harvesting Cb Response Data Leaks for fun and profit,” DirectDefense uncovered some disturbing data leakage.

Is so doing, DirectDefense also exposed its own deficiency of responsible disclosure. Carbon Black has stated that DirectDefense did not contact them prior to disclosure. It is probably no coincidence that DirectDefense was named Solutions Partner of the Year by Cylance. Cylance is a direct competitor of Carbon Black. Therefore, when DirectDefense used hyperbole-based comments like “world’s largest pay-for-play data exfiltration botnet” – it was over the top. Additionally the feature that allows the exfiltration of data is off by default and comes with a warning before enabling.

While the InfoSec universe is currently pummeling DirectDefense, what it discovered should in no way be dismissed so easily. First, the feature in question is one that allows files to be sent to a cloud-based multiscanner. In essence, to enhance the detection of infected files send them to a cloud hosted service that runs not one AV scanner but many AV scanners. VirusTotal in this case. Who would not want the extra protection?

As to the disclaimer Carbon Black is touting as assurance they warn all users, well that disclaimer is the normal legalese. A small excerpt follows:

By electing to enable the “Scan unknown binaries with VirusTotal” feature, your server will send unknown binaries to Carbon Black with your consent. By electing to enable the “Share binary hashes with VirusTotal” feature, your server will send binary hashes and other metadata to Carbon Black with your consent.

Neither the use of VirusTotal nor the disclaimer would make even the most hypersensitive InfoSec professional contemplate data leaking to other users of said service. Moreover, it would hardly cross the mind of a typical endpoint administrator.

What DirectDefense discovered is by using an analyst interface of the cloud-based multiscanner service they could see internal applications from a very large telecommunications equipment vendor. They continued to notice more such files from other companies. All these uploads were related to a particular API key – Carbon Black’s API key. DirectDefense in a display of more recklessness published the API key in their report. Again, their lack of professionalism does not distract from what they discovered.

By searching for similar uploads from that key, they found hundreds of thousands of files comprising terabytes of data. After downloading many samples, what they uncovered is very troubling.

From a large streaming media company:

Amazon Web Services (AWS) Identity and Access Management (IAM) Credentials for the Company

Slack API Keys for the Company

The Company’s Crowd (Atlassian Single Sign On) Admin Credentials

Google Play keys

Apple Store ID

From a social media company:

Hardcoded AWS and Azure keys

Other internal proprietary information, such as usernames and passwords

What broke down here is one of the main goals and complaints with the Information Security profession… lack of sharing. By putting protections in place inside a company then sharing up files that are unrecognized in any current corpus, you inevitably are sharing unique files. The information in those files may often contain data that needs to be protected. The fact that anyone with access to the multiscanner universe can see these files is disconcerting. Yet, if your part of the multiscanner universe is to examine the files and render judgement – you actually have to see the files.

DirectDefense poorly executed their discovery disclosure and no doubt did so purposefully. Thereby continuing the role of valued solutions partner. Yet what they discovered is a poorly executed protection scheme that is also poorly documented. The reach of this exposure seems vast considering Carbon Black’s industry penetration. How many other vendors are leveraging a multiscanner with API access? DirectDefense’s clumsy disclosure should not take away from what they did in fact discover.